PingFederate Online Help

SafeNet Trusted Access for PingFederate

Overview

Configuring SafeNet Trusted Access for PingFederate is a three-step process:

1. PingFederate setup

2. SafeNet Trusted Access setup

3. Verify authentication

PingFederate Setup

As a prerequisite, download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps given below.

Configuring PingFederate

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in PingFederate:

1. Log in to PingFederate as an administrator using the following URL:

https://<DNS Name or IP Address of the PingFederate Server>:9999/pingfederate/app

where <DNS Name or IP Address of the PingFederate Server> is the fully qualified name (or address) of the machine on which the PingFederate server is running.

2. On the PingFederate administrator dashboard, in the left pane, click Service Provider and then in the right pane, under IDP CONNECTIONS, click Create New.

3. Under IdP Connection, on the Connection Type tab, ensure that the BROWSER SSO PROFILES check box is selected, and then click Next.

4. On the Connection Options tab, ensure that the BROWSER SSO check box is selected, and then click Next.

5. On the Import Metadata tab, perform the following steps:

a. In the METADATA field, select the FILE option.

b. Click Choose file to search for and select the identity provider metadata file that you downloaded earlier from the STA console.

c. Click Next.

6. On the Metadata Summary tab, click Next.

7. On the General Info tab, the values in the PARTNER'S ENTITY ID (CONNECTION ID), CONNECTION NAME, and BASE URL fields are populated from the metadata file. In the CONNECTION NAME field, you can change the connection name (for example, STA_PingFederate), as this is the identifier for this connection. Click Next.

8. On the Browser SSO tab, click Configure Browser SSO.

9. Under Browser SSO, on the SAML Profiles tab, perform the following steps:

a. Under Single Sign-On (SSO) Profiles, select the IDP-INITIATED SSO and SP-INITIATED SSO check boxes.

b. Under Single Logout (SLO) Profiles, select the SP-INITIATED SLO check box.

c. Click Next.

10. On the User-Session Creation tab, click Configure User-Session Creation to:

Choose an identity-mapping method.

Define the attribute contract that you will use with this partner, if any.

Configure instances of one or more target sessions and specify their usage to fulfill the contract.

11. Under User-Session Creation, on the Identity Mapping tab, ensure that the ACCOUNT MAPPING option is selected, and then click Next.

12. On the Attribute Contract tab, the set of user attributes that the IdP will send in the assertion is displayed. Click Next.

13. On the Target Session Mapping tab, click Map New Adapter Instance to map an adapter instance for each target application on your system.

14. Under Adapter Mapping & User Lookup, on the Adapter Instance tab, in the ADAPTER INSTANCE field, select SP Adapter, and then click Next.

15. On the Adapter Data Store tab, ensure that the USE ONLY THE ATTRIBUTES AVAILABLE IN THE SSO ASSERTION option is selected, and then click Next.

16. On the Adapter Contract Fulfillment tab, perform the following steps:

a. For each Adapter Contract, in the Source column, select Assertion.

b. For each Adapter Contract, in the Value column, select a Value as per your preferred configuration.

c. Click Next.

17. On the Issuance Criteria tab, click Next.

18. On the Summary tab, review the configuration, and then click Done.

19. Under User-Session Creation, on the Target Session Mapping tab, click Next.

20. On the Summary tab, review the configuration, and then click Done.

21. Under Browser SSO, on the User-Session Creation tab, click Next.

22. On the Protocol Settings tab, click Configure Protocol Settings.

23. Under Protocol Settings, on the SSO Service URLs tab, perform the following steps:

a. In the Binding column, in the drop-down list, select POST.

b. In the Endpoint URL column, in the field, enter the SingleSignOnService URL that is provided on the SafeNet Trusted Access console.

You can copy this URL by clicking the Copy to Clipboard icon next to the SingleSignOnService field.

c. In the Action column, click Add.

d. Click Next.

24. On the SLO Service URLs tab, perform the following steps:

a. In the Binding column, in the drop-down list, select POST.

b. In the Endpoint URL column, enter the SingleSignOnService URL that is provided on the SafeNet Trusted Access console.

You can copy this URL by clicking the Copy to Clipboard icon next to the SingleSignOnService field.

c. In the Action column, click Add.

d. Click Next.

25. On the Allowable SAML Bindings tab, select the POST and REDIRECT check boxes, and then click Next.

26. On the Overrides tab, in the DEFAULT TARGET URL field, enter https://<Ping Federate IP Address>:9031/quickstart-app-sp/go, and then click Next.

27. On the Signature Policy tab, ensure that the USE SAML-STANDARD SIGNATURE REQUIREMENTS option is selected, and then click Next.

28. On the Encryption Policy tab, ensure that the NONE option is selected, and then click Next.

29. On the Summary tab, click Done.

30. Under Browser SSO, on the Protocol Settings tab, click Next.

31. On the Summary tab, review the configuration, scroll down, and then click Done.

32. Under IdP Connection, on the Browser SSO tab, click Next.

33. On the Credentials tab, click Configure Credentials.

34. On the Digital Signature Settings tab, perform the following steps:

a. In the SIGNING CERTIFICATE field, select your PingFederate server's signing certificate that you will use to sign SAML requests, responses, and assertions.

b. In the SIGNING ALGORITHM field, ensure that RSA SHA256 is selected.

c. Click Next.

35. On the Signature Verification Settings tab, click Manage Signature Verification Settings.

36. Under Signature Verification, on the Trust Model tab, ensure that the UNANCHORED option is selected, and then click Next.

37. On the Signature Verification Certificate tab, in the PRIMARY field, select the partner certificate, and then click Next.

38. On the Summary tab, click Done.

39. Under Credentials, on the Signature Verification Settings tab, click Next.

40. On the Summary tab, review the configuration, and then click Done.

41. On the Credentials tab, click Next.

42. Under IdP Connection, on the Activation & Summary tab, in the Connection Status field, select the ACTIVE option.

43. Scroll down, and then click Save.
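The IdP metadata file downloaded from the STA console carries the values that steps 7, 23, 24 and 37 above ask for (entity ID, SSO and SLO endpoints with the POST binding, and the partner signing certificate). The following Python script is an added example, not part of this help page or of the PingFederate or STA products: it parses such a metadata file and flags anything that would leave one of those wizard fields empty. The embedded metadata is a constructed sample with placeholder URLs and certificate.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; URLs and certificate are placeholders, not real STA values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.invalid/saml/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.invalid/saml/sso"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.invalid/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml):
    """Return the values the IdP connection wizard asks for (steps 7, 23, 24 and 37)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    def location(tag):  # Location of the endpoint that uses the HTTP-POST binding, if any
        return next((e.get("Location") for e in idp.findall(tag, NS) if e.get("Binding") == POST), None)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            certs += ["".join(c.text.split()) for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"),                   # step 7: PARTNER'S ENTITY ID
            "sso_post_url": location("md:SingleSignOnService"),  # step 23: SSO Service URL
            "slo_post_url": location("md:SingleLogoutService"),  # step 24: SLO Service URL
            "signing_certs": certs}                              # step 37: partner certificate

def check_settings(s):
    """List anything that would leave one of those wizard fields empty or insecure."""
    problems = []
    if not s["signing_certs"]:
        problems.append("no signing certificate to select as the partner certificate")
    for key in ("sso_post_url", "slo_post_url"):
        if not s[key]:
            problems.append(f"{key}: no endpoint with the HTTP-POST binding")
        elif not s[key].startswith("https://"):
            problems.append(f"{key}: endpoint is not HTTPS")
    return problems
```

Run it against the real file with `extract_idp_settings(open("sta-idp-metadata.xml").read())` (file name assumed) and compare the output with what the wizard populated before activating the connection.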

Exporting the PingFederate Metadata

Perform the following steps to export the PingFederate metadata:

1. On the PingFederate administrator console, in the left pane, click Server Configuration.

2. In the right pane, under ADMINISTRATIVE FUNCTIONS, click Metadata Export.

3. Under Export Metadata, on the Metadata Role tab, select the I AM THE SERVICE PROVIDER (SP) option, and then click Next.

4. On the Metadata Mode tab, ensure that the USE A CONNECTION FOR METADATA GENERATION option is selected, and then click Next.

5. On the Connection Metadata tab, perform the following steps:

a. In the drop-down list, select the connection that you created (for example, STA_PingFederate) in step 7 of Configuring PingFederate, for which you want to create metadata.

b. Click Next.

6. On the Metadata Signing tab, in the SIGNING CERTIFICATE field, select a certificate, and then click Next.

7. On the Export & Summary tab, scroll down, and then click Export. The PingFederate metadata file is downloaded automatically; save it on your local machine.

8. Click Done.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in PingFederate, the second step is to activate the PingFederate application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, you will notice that the PingFederate application that you added previously is inactive by default. To configure and activate this application, click the application (for example, PingFederate) and proceed to the next step.

2. Under STA Setup, click Upload PingFederate Metadata.

3. On the Metadata upload window, click Browse to search for and select the PingFederate metadata file that you downloaded earlier in step 7 of Exporting the PingFederate Metadata.

Under Account Details, the service provider metadata information is displayed.

4. Click Save Configuration to save the details and activate the PingFederate application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the PingFederate login URL, https://<DNS Name or IP Address>:<port no>/quickstart-app-sp/go

You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the PingFederate hosted target application after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click on the PingFederate application icon, and you should be redirected to the PingFederate hosted target application after authentication.


© 2018 SafeNet Trusted Access. Various trademarks held by their respective owners.